fix: API 全部改用显式两步走 await session.execute + result.scalars()

之前 (await ...).scalars() 链式在 SQLAlchemy 2.0 async 下报
'coroutine' has no attribute 'scalars' 错误。改为先 await 拿 result
再 .scalars(),这是 SQLAlchemy 2.0 推荐的 async 写法。

backend/app/api/auth.py

@@ -34,11 +34,8 @@ def _pair_for(user: User) -> TokenPair:
 
 @router.post("/login", response_model=TokenPair)
 async def login(body: LoginRequest, session: AsyncSession = Depends(get_session)):
-    user = (
-        await session.execute(select(User).where(User.username == body.username))
-        .scalars()
-        .first()
-    )
+    result = await session.execute(select(User).where(User.username == body.username))
+    user = result.scalars().first()
     if not user or not user.is_active or not verify_password(body.password, user.password_hash):
         raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid credentials")
     user.last_login_at = datetime.now(timezone.utc)
@@ -55,11 +52,8 @@ async def refresh(body: RefreshRequest, session: AsyncSession = Depends(get_sess
         uid = int(payload["sub"])
     except (InvalidTokenError, KeyError, ValueError):
         raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid refresh token")
-    user = (
-        await session.execute(select(User).where(User.id == uid, User.is_active.is_(True)))
-        .scalars()
-        .first()
-    )
+    result = await session.execute(select(User).where(User.id == uid, User.is_active.is_(True)))
+    user = result.scalars().first()
     if not user:
         raise HTTPException(status.HTTP_401_UNAUTHORIZED, "User not found")
     return _pair_for(user)